Hi everyone, I really need some help. I've already tried some KBs but no luck.
I'm having some trouble configuring my branch office users to connect to my Active Directory Server on the head office site.
I have already set up IPSec VPN from Head Office (Sophos XG 115) to Branch Office (Sophos XG 105 without license).
I have already followed the KBs: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationAllowSTASOverVPN/index.html#introduction
What is happening:
By the time I login in the computer on the branch office (using a domain user), Sophos Firewall at Head Office gets the IP from Sophos Firewall Branch Office and not the IP from the workstation. After logging in, the browser pops up the login page from sophos firewall from Head Office. I can log through it normally, but the transparent authentication won't work.properly.
Sophos Firewall on the Head Office site: 192.168.1.1
Sophos Firewall on the Branch Office site: 192.168.5.1
Workstation on the Branch Office site: 192.168.5.20
Domain controller: 192.168.1.11
For the Head Office network users, it is everything ok with STAS. I`ve already set up the Servers, Services and STAS tab below like my Head Office Firewall.
Head Office Sophos Firewall:
Here it should be 192.168.5.20.
What can I do so Sophos Firewall gets the correct IP 192.168.5.20 from the workstation on Branch Office site?
Thank you guys.
Hello techblue,Thank you for reaching out to the community, is client auth for VPN zone enabled under the administration > device access ?
Thank you for reaching out to the community, On STAS you can verify under "Sophos Appliance" Field edit and check whether "Enable Subnet based filter" is applied or not as per the below snapshot reference
Thanks and Regards
"Sophos Partner: Infrassist Technologies Pvt Ltd".
If a post solves your question please use the 'Verify Answer' button.
No, it wasn't checked.Should I leave like the snapchat bellow?
Hi Bharat J
I did like the snapshot I've just sent, but nothing has changed. The HO Firewall keeps picking the user IP 192.168.1.1 :/
What else should I review?
This is really driving me crazy.
Please enable filter for both network as you did for 192.168.5.0 on STAS software
Still no success :/
Please restart the STAS Service from AD server and from Sophos firewall under CONFIGURE > System service > Services
Just to update this post;
As we talked before, restarting the service didn't solve the problem.
Hello techblue,Can you once verify the configs from the best practice guide of STAS: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125318/sophos-xg-firewall-best-practice-for-stas
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMSIf a post solves your question please use the 'Verify Answer' button.
Please share the current firmware version running on Sophos XG
It's everything running well. I have my local users using STAS for many years. The STAS on AD Server gets the IP 192.168.1.1 and not the workstation IP from Branch Office. We have tried even connecting through CAA on BO, but stil HO gets IP 192.168.1.1. Sophos Firewall from BO won't appear in STAS as well.
SFOS 17.5.17 MR-17-Build837